Project

General

Profile

Feature #6975

Changing UID/GID when calling spawn/popen

Added by vihai (Daniele Orlandi) over 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
[ruby-core:47414]

Description

Hello,

If I am not wrong it seems that there is no way to properly drop all privileges when spawning a process with spawn/popen.

AFAIK, proper privilege dropping should be done after the fork() and before the exec() and there doesn't seem to be such functionality neither an hook like Python has.

Thanks,
Bye,

Associated revisions

Revision 37124
Added by nobu (Nobuyoshi Nakada) about 5 years ago

process.c: uid gid exec options

  • process.c (rb_execarg_addopt, rb_execarg_run_options): add :uid and :gid options. [Feature #6975]

Revision 37124
Added by nobu (Nobuyoshi Nakada) about 5 years ago

process.c: uid gid exec options

  • process.c (rb_execarg_addopt, rb_execarg_run_options): add :uid and :gid options. [Feature #6975]

Revision 37124
Added by nobu (Nobuyoshi Nakada) about 5 years ago

process.c: uid gid exec options

  • process.c (rb_execarg_addopt, rb_execarg_run_options): add :uid and :gid options. [Feature #6975]

Revision 37124
Added by nobu (Nobuyoshi Nakada) about 5 years ago

process.c: uid gid exec options

  • process.c (rb_execarg_addopt, rb_execarg_run_options): add :uid and :gid options. [Feature #6975]

History

#1 [ruby-core:47416] Updated by nobu (Nobuyoshi Nakada) over 5 years ago

  • Description updated (diff)
  • Category set to core
  • Assignee set to akira (akira yamada)

Here is a patch
https://github.com/nobu/ruby/compare/uid-gid_exec_options

But I have no ideas how to test this feature.

#2 [ruby-core:47417] Updated by akr (Akira Tanaka) over 5 years ago

  • Assignee changed from akira (akira yamada) to akr (Akira Tanaka)

posix_spawn has an option to dropping privileges: POSIX_SPAWN_RESETIDS

I guess primitive setuid/setgid is too generic for this use case.

#3 Updated by nobu (Nobuyoshi Nakada) about 5 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r37124.
Daniele, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


process.c: uid gid exec options

  • process.c (rb_execarg_addopt, rb_execarg_run_options): add :uid and :gid options. [Feature #6975]

#4 [ruby-core:51989] Updated by vihai (Daniele Orlandi) almost 5 years ago

Thank you very much!

However it would useful and recommendable if spawn could also initialize additional groups, either directly via setgroups(2) or via initgroups(3)

Do you agree?
Should I create a new feature request?

#5 [ruby-core:52024] Updated by kosaki (Motohiro KOSAKI) almost 5 years ago

Should I create a new feature request?

Yes, please make another ticket.

Also available in: Atom PDF